by LukeShu 1156 days ago
.well-known/openid-configuration is specified as part of OpenID Connect (OIDC) Discovery[1]. OIDC is separate from and on-top-of OAuth2. The OIDC specs come through the OpenID Foundation, not through the IETF (so not RFCs). (Also, while what they specify is super useful, they aren't nearly as well written as RFCs tend to be :) )

[1]: https://openid.net/specs/openid-connect-discovery-1_0.html

> that's not correct in the most common flow?

No, he's right, I was misremembering (assuming "the most common" flow is the "authorization code" flow specified in RFC 6749 §4.1). The user-agent provides a one-time "authorization code" to the client via a GET, and then the client receives that "authorization code" and does its own POST to the IDP to exchange that "authorization code" for the final "access token".


This is me misusing the word "token". Access tokens are gotten via POST, but the one-time code is gotten via GET and, absent usage of things like the state parameter, can easily lead to malicious attacks.
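An added, in-process simulation of the exchange the comments describe (this is illustrative code, not from the thread or from any real IdP or library): the client reads `authorization_endpoint` and `token_endpoint` from an OIDC discovery document, the IdP hands a one-time code back through the front channel (the GET redirect), and the client redeems it through the back channel (the POST to the token endpoint) only after checking that the `state` it receives matches the one it stored in its own session. The host names, client id, client secret and discovery JSON are constructed for the example; no network calls are made.

```python
"""Simulated OAuth2 authorization-code flow (RFC 6749 section 4.1) bootstrapped
from an OIDC Discovery document. Every endpoint is an in-process function."""
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed discovery document, as an IdP would serve it at
# https://idp.example/.well-known/openid-configuration (hypothetical host).
DISCOVERY_JSON = json.dumps({
    "issuer": "https://idp.example",
    "authorization_endpoint": "https://idp.example/authorize",
    "token_endpoint": "https://idp.example/token",
})


def load_discovery(doc: str) -> dict:
    """Parse the discovery document and require the endpoints the client needs."""
    cfg = json.loads(doc)
    for key in ("issuer", "authorization_endpoint", "token_endpoint"):
        if key not in cfg:
            raise ValueError(f"discovery document missing {key}")
    return cfg


class SimulatedIdP:
    """Minimal IdP: issues short-lived one-time codes and redeems each at most once."""

    def __init__(self):
        self._codes = {}  # code -> (client_id, redirect_uri, expiry)

    def authorize(self, client_id, redirect_uri, state):
        """Front channel: after login/consent, redirect the browser back with code+state."""
        code = secrets.token_urlsafe(32)
        self._codes[code] = (client_id, redirect_uri, time.time() + 60)
        return f"{redirect_uri}?{urlencode({'code': code, 'state': state})}"

    def token(self, client_id, client_secret, code, redirect_uri):
        """Back channel (the client's POST): exchange the code once for an access token."""
        entry = self._codes.pop(code, None)  # pop makes the code single-use
        if entry is None:
            return None
        cid, ruri, expiry = entry
        if cid != client_id or ruri != redirect_uri or time.time() > expiry:
            return None
        if not secrets.compare_digest(client_secret, "s3cret"):  # constructed secret
            return None
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


class Client:
    """Relying party: starts the login and handles the redirect back."""

    def __init__(self, idp, cfg):
        self.idp, self.cfg = idp, cfg
        self.client_id = "demo-client"                       # constructed
        self.redirect_uri = "https://app.example/callback"   # constructed
        self.session = {}                                    # per-browser session

    def start_login(self):
        """Step 1: build the authorization URL with a fresh, session-bound state."""
        state = secrets.token_urlsafe(16)
        self.session["oauth_state"] = state
        return self.cfg["authorization_endpoint"] + "?" + urlencode({
            "response_type": "code", "client_id": self.client_id,
            "redirect_uri": self.redirect_uri, "scope": "openid", "state": state})

    def handle_callback(self, url):
        """Step 2: verify state first; only then POST the code to the token endpoint."""
        q = parse_qs(urlparse(url).query)
        expected = self.session.pop("oauth_state", None)
        received = q.get("state", [None])[0]
        if expected is None or received is None or not secrets.compare_digest(expected, received):
            return None  # unsolicited callback: never redeem the code
        code = q.get("code", [None])[0]
        if code is None:
            return None
        return self.idp.token(self.client_id, "s3cret", code, self.redirect_uri)


def run_demo():
    """Drive the flow end to end and return what each step produced."""
    cfg = load_discovery(DISCOVERY_JSON)
    idp = SimulatedIdP()
    client = Client(idp, cfg)

    # Honest flow: browser follows the authorization URL, IdP redirects back with code+state.
    auth_url = client.start_login()
    state = parse_qs(urlparse(auth_url).query)["state"][0]
    callback = idp.authorize(client.client_id, client.redirect_uri, state)
    token = client.handle_callback(callback)

    # Replaying the same callback fails: the state was consumed and the code already redeemed.
    replay = client.handle_callback(callback)

    # A callback whose state does not match the pending one is rejected before any exchange.
    client.start_login()
    unsolicited = idp.authorize(client.client_id, client.redirect_uri, "some-other-state")
    forged = client.handle_callback(unsolicited)
    return {"token": token, "replay": replay, "forged": forged}


if __name__ == "__main__":
    print(run_demo())
```

The point the thread makes is visible in `handle_callback`: the code arrives on the front channel where anyone who can make the browser load the callback URL can inject one, so the client refuses to redeem it unless the accompanying `state` matches a value that this browser session generated, and the IdP refuses to redeem any code twice.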